New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

2026-04-14

1 min read

by info@thehackernews.com (The Hacker News)

Read Original

Get the latest tech trends every morning

Receive daily AI-curated summaries of engineering articles from top tech companies worldwide.

Endigest AI Core Summary

Two high-severity security vulnerabilities in Composer, a PHP package manager, could enable arbitrary command execution through command injection flaws in the Perforce VCS driver.

•CVE-2026-40176 (CVSS 7.8): Improper input validation allowing attackers to inject arbitrary commands via malicious composer.json files with Perforce VCS repository declarations
•CVE-2026-40261 (CVSS 8.8): Inadequate escaping enabling command injection through crafted source references containing shell metacharacters
•Affected versions: 2.3 to 2.9.6 (fixed in 2.9.6) and 2.0 to 2.2.27 (fixed in 2.2.27)
•Commands execute even if Perforce VCS is not installed on the system
•Mitigation includes inspecting composer.json files, using trusted repositories only, and disabling --prefer-dist installation method

New PHP Composer Flaws Enable Arbitrary Command Execution — Patches Released

Get the latest tech trends every morning

Endigest AI Core Summary

Related Articles

Privacy-first connections: Empowering social experiences at Airbnb

Google Adds Rust-Based DNS Parser into Pixel 10 Modem to Enhance Security

AI-Driven Pushpaganda Scam Exploits Google Discover to Spread Scareware and Ad Fraud

Mirax Android RAT Turns Devices into SOCKS5 Proxies, Reaching 220,000 via Meta Ads